<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/lib/pace/pace-theme-minimal.min.css">
  <script src="/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"sekla.cn","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":"valine","storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="JOP原理JOP 即 Jump-oriented programming , 攻击与ROP攻击类似，同样利用二进制可执行文件中已有的代码片段来进行攻击。ROP使用的是ret指令来改变程序控制流，而JOP攻击利用程序间间接跳转和间接调用指令，如call指令来改变程序控制流。当程序在执行间接跳转或者是间接调用指令时，程序将从指定寄存器中获得其跳转的目的地址，由于这些跳转目的地址保存在寄存器中，而攻击者">
<meta property="og:type" content="article">
<meta property="og:title" content="JOP代码复用攻击的实现">
<meta property="og:url" content="http://sekla.cn/2022/01/13/jop-attack/index.html">
<meta property="og:site_name" content="Sekla&#39;s Blog">
<meta property="og:description" content="JOP原理JOP 即 Jump-oriented programming , 攻击与ROP攻击类似，同样利用二进制可执行文件中已有的代码片段来进行攻击。ROP使用的是ret指令来改变程序控制流，而JOP攻击利用程序间间接跳转和间接调用指令，如call指令来改变程序控制流。当程序在执行间接跳转或者是间接调用指令时，程序将从指定寄存器中获得其跳转的目的地址，由于这些跳转目的地址保存在寄存器中，而攻击者">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://s2.loli.net/2022/01/13/AcBQt5lumMLYX4E.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/KmzoA7sNSE9t1DV.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/1oMfAOLItjQ9zGm.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/K6WVJicIL3pnwbZ.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/IbhSCadfoY49AD6.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/Q3fom7vR1UHYcwE.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/OumqJINf13viFh4.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/rcLS69Av2zmOsVo.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/3xIkVM9EJDCQhT1.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/QeKpm1tTGOfDVUE.png">
<meta property="og:image" content="https://s2.loli.net/2022/01/14/AC9IrSgG6aEdpXm.png">
<meta property="article:published_time" content="2022-01-13T04:39:04.000Z">
<meta property="article:modified_time" content="2022-01-13T17:17:31.321Z">
<meta property="article:author" content="Sekla">
<meta property="article:tag" content="C++">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://s2.loli.net/2022/01/13/AcBQt5lumMLYX4E.png">

<link rel="canonical" href="http://sekla.cn/2022/01/13/jop-attack/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>JOP代码复用攻击的实现 | Sekla's Blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

  <script type="text/javascript" src="/js/my_js/clicklove.js"></script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --></head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Sekla's Blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Keep Learning Keep Doing</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签<span class="badge">14</span></a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类<span class="badge">23</span></a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档<span class="badge">100</span></a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://sekla.cn/2022/01/13/jop-attack/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.jpg">
      <meta itemprop="name" content="Sekla">
      <meta itemprop="description" content="Sekla">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Sekla's Blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          JOP代码复用攻击的实现
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2022-01-13 12:39:04" itemprop="dateCreated datePublished" datetime="2022-01-13T12:39:04+08:00">2022-01-13</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2022-01-14 01:17:31" itemprop="dateModified" datetime="2022-01-14T01:17:31+08:00">2022-01-14</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">软件安全</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="阅读次数" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">阅读次数：</span>
              <span id="busuanzi_value_page_pv"></span>
            </span><br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>1.5k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>1 分钟</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="JOP原理"><a href="#JOP原理" class="headerlink" title="JOP原理"></a>JOP原理</h1><p>JOP 即 Jump-oriented programming , 攻击与ROP攻击类似，同样利用二进制可执行文件中已有的代码片段来进行攻击。ROP使用的是<code>ret</code>指令来改变程序控制流，而JOP攻击利用程序间间接跳转和间接调用指令，如call指令来改变程序控制流。当程序在执行间接跳转或者是间接调用指令时，程序将从指定寄存器中获得其跳转的目的地址，由于这些跳转目的地址保存在寄存器中，而攻击者可以修改栈内容来修改寄存器内容，使得程序中间接跳转和间接调用目的地址能够被攻击者篡改。</p>
<p>当攻击者篡改寄存器内容时，攻击者就可以让程序跳转到攻击者所构建的gadget地址处，执行JOP攻击。</p>
<a id="more"></a>

<h1 id="JOP攻击示例"><a href="#JOP攻击示例" class="headerlink" title="JOP攻击示例"></a>JOP攻击示例</h1><p>展示一个攻击目的是利用系统调用<code>int 0x80</code>来开启一个新的命令行窗口，如果要达成此目的，那么在<code>int 0x80</code>被调用之前，应当将eax寄存器的值修改为<code>0x0000000b</code>,同时应当将ebx寄存器的内容修改成字符串<code>/bin/sh</code>，同时ecx和edx寄存器值必须为<code>0x00000000</code>,且以上修改字段都可以在程序运行时在内存中找到，除<code>0x0000000b</code>需要攻击者自行构造，利用缓冲区溢出修改栈即可。</p>
<p>我们需要利用程序中已有代码片段，将攻击者栈值修改成我们所需要的<code>0x0000000b</code>。</p>
<p><img src="https://s2.loli.net/2022/01/13/AcBQt5lumMLYX4E.png" alt="image-20220113231505983"></p>
<ol>
<li>首先计算出gadget和<code>int  0x80</code>的地址，然后利用缓冲区溢出漏洞填充要修改寄存器的值。</li>
<li>程序会执行gadget1，首先对栈初始化，指令使得栈中的数据出栈并保存在除esp寄存器外寄存器中，同时ebp寄存器保存了gadget2的地址，程序跳转到gadget2。</li>
<li>程序执行gadget2，bl寄存器保存<code>0x01</code>且<code>esi+edi*4-0xd</code>地址指向值<code>0xff</code>,同时add指令相加之后，将以上地址指向值修改为<code>0x00</code>即val中的第一个字节的内容。然后执行跳转<code>jump eax</code></li>
<li>随后重复以上步骤后，直到程序跳转至<code>int 0x80</code>处。</li>
</ol>
<h1 id="JOP攻击实战"><a href="#JOP攻击实战" class="headerlink" title="JOP攻击实战"></a>JOP攻击实战</h1><p> ROPgadget:<a target="_blank" rel="noopener" href="https://github.com/JonathanSalwan/ROPgadget/tree/master">https://github.com/JonathanSalwan/ROPgadget/tree/master</a></p>
<p>首先关闭地址随机化:</p>
<p><code>sudo sysctl -w kernel.randomize_va_space=0</code></p>
<p>安装ROPgadget：</p>
<p><img src="https://s2.loli.net/2022/01/14/KmzoA7sNSE9t1DV.png" alt="image-20220114000749410"></p>
<p>编写含漏洞的程序：</p>
<p><img src="https://s2.loli.net/2022/01/14/1oMfAOLItjQ9zGm.png" alt="image-20220114001636828"></p>
<p>从文件输入调用read调用来向缓冲区buf写入数据，但是存在缓冲区漏洞，然后文件输出hello world。</p>
<p>安装<code>sudo pip install pwn</code>工具，并编译漏洞文件。</p>
<p><img src="https://s2.loli.net/2022/01/14/K6WVJicIL3pnwbZ.png" alt="image-20220114001951514"></p>
<p>使用libc.so.6中的函数作为需要执行的攻击函数，该动态库包含了大量可利用代码，包括<code>system(&quot;/bin/sh&quot;)</code>，可以使用ROPgadget工具获取可利用代码片段，并通过pwntool漏洞来达到攻击目的，运行/bin/sh.</p>
<p><img src="https://s2.loli.net/2022/01/14/IbhSCadfoY49AD6.png" alt="image-20220114002345229"></p>
<p>使用pwntool产生一个50长度的字符串作为漏洞输入，检测溢出点，并使用gdb调试输入字符串，查看各个寄存器值：</p>
<p><img src="https://s2.loli.net/2022/01/14/Q3fom7vR1UHYcwE.png" alt="image-20220114004052193"></p>
<p>其中rbp寄存器指向地址高8字节即返回地址，由于buf大小为10字节。</p>
<p>找出system函数调用地址，/bin/sh地址：</p>
<p><img src="https://s2.loli.net/2022/01/14/OumqJINf13viFh4.png" alt="image-20220114004153062"></p>
<p>x64下函数前六个参数都保存在<code>rdi，rsi，rdx</code>等寄存器中，更多的参数保存在栈中，想办法把<code>/bin/sh</code>地址放到rdi寄存器中，然后执行system调用，可以利用rax寄存器，把<code>system</code>地址放在rax中，然后寻找到<code>jump rax</code>指令，跳转并执行system。首先寻找gadget：</p>
<p>安装完ROPgadget后，寻找并获取ret和jmp操作的地址，并将参数传入：</p>
<p><img src="https://s2.loli.net/2022/01/14/rcLS69Av2zmOsVo.png" alt="image-20220114005022851"></p>
<p><img src="https://s2.loli.net/2022/01/14/3xIkVM9EJDCQhT1.png" alt="image-20220114005043450"></p>
<p>然后就可以构造JOP：</p>
<p><img src="https://s2.loli.net/2022/01/14/QeKpm1tTGOfDVUE.png" alt="image-20220114011541414"></p>
<p>首先利用缓冲区溢出覆盖返回地址，随后把地址按 gadget 顺序填入漏洞程序缓冲区，运行脚本:</p>
<p><img src="https://s2.loli.net/2022/01/14/AC9IrSgG6aEdpXm.png" alt="image-20220114011709716"></p>

    </div>
    
    
    

      <footer class="post-footer">
          
          <div class="post-tags">
              <a href="/tags/C/" rel="tag"><i class="fa fa-tag"></i> C++</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2022/01/08/crypto-project/" rel="prev" title="Crypto++&pybind11&pyqt5实现简易加密软件">
      <i class="fa fa-chevron-left"></i> Crypto++&pybind11&pyqt5实现简易加密软件
    </a></div>
      <div class="post-nav-item"></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#JOP%E5%8E%9F%E7%90%86"><span class="nav-number">1.</span> <span class="nav-text">JOP原理</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#JOP%E6%94%BB%E5%87%BB%E7%A4%BA%E4%BE%8B"><span class="nav-number">2.</span> <span class="nav-text">JOP攻击示例</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#JOP%E6%94%BB%E5%87%BB%E5%AE%9E%E6%88%98"><span class="nav-number">3.</span> <span class="nav-text">JOP攻击实战</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Sekla"
      src="/images/avatar.jpg">
  <p class="site-author-name" itemprop="name">Sekla</p>
  <div class="site-description" itemprop="description">Sekla</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">100</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">23</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">14</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ShenTiao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ShenTiao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:584892986@qq.com" title="E-Mail → mailto:584892986@qq.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
  </div>



      </div>

      <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1416875904&auto=0&height=66"></iframe>
      
    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Sekla</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
    <span title="站点总字数">288k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
    <span title="站点阅读时长">4:22</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://muse.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a> 强力驱动
  </div>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="总访客量">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="总访问量">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  
      

<script>
  if (typeof MathJax === 'undefined') {
    window.MathJax = {
      loader: {
        source: {
          '[tex]/amsCd': '[tex]/amscd',
          '[tex]/AMScd': '[tex]/amscd'
        }
      },
      tex: {
        inlineMath: {'[+]': [['$', '$']]},
        tags: 'ams'
      },
      options: {
        renderActions: {
          findScript: [10, doc => {
            document.querySelectorAll('script[type^="math/tex"]').forEach(node => {
              const display = !!node.type.match(/; *mode=display/);
              const math = new doc.options.MathItem(node.textContent, doc.inputJax[0], display);
              const text = document.createTextNode('');
              node.parentNode.replaceChild(text, node);
              math.start = {node: text, delim: '', n: 0};
              math.end = {node: text, delim: '', n: 0};
              doc.math.push(math);
            });
          }, '', false],
          insertedScript: [200, () => {
            document.querySelectorAll('mjx-container').forEach(node => {
              let target = node.parentNode;
              if (target.nodeName.toLowerCase() === 'li') {
                target.parentNode.classList.add('has-jax');
              }
            });
          }, '', false]
        }
      }
    };
    (function () {
      var script = document.createElement('script');
      script.src = '//cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js';
      script.defer = true;
      document.head.appendChild(script);
    })();
  } else {
    MathJax.startup.document.state(0);
    MathJax.texReset();
    MathJax.typeset();
  }
</script>

    

  

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"model":{"jsonPath":"/live2dw/assets/shizuku.model.json"},"display":{"position":"left","width":250,"height":500},"mobile":{"show":false},"react":{"opacity":0.9},"log":false});</script></body>
</html>

<script type="text/javascript" src="/js/src/love.js"></script>
